Having trouble verifying JWTs created by other sources

[robbie-demuth]

Hello!

I'm using AWS KMS to sign JWTs and am trying to use this library to verify and validate them. I've been following the "Sign a JWT" section of https://aws.amazon.com/blogs/security/how-to-verify-aws-kms-signatures-in-decoupled-architectures-at-scale/ to implementing the signing. I'm able to verify the signed JWTs using the steps in the "Signature verification in Golang" section. I'm also able to verify JWTs signed directly w/ ecdsa.SignASN1(...). I'm not, however, able to verify the signed JWTs using jwt.Parse(...). Doing so results in the following error:

could not verify message using any of the signatures or keys

I am, however, able to verify JWTs built and signed w/ jwt.NewBuilder()...Build() and jwt.Sign(...). Conversely, I'm not able to verify JWTs built and signed w/ jwt.NewBuilder()...Build() directly w/ ecdsa.VerifyASN1(...).

I've attached a simple program that signs JWTs using ecdsa.SignASN1(...), KMS:Sign, and jwt.Sign(...) and attempts to verify them using both ecdsa.VerifyASN1(...) and jwt.Parse(...). In all cases, the JWT headers and payloads are the same, so the issue must be related to how I'm handling the signatures. What am I doing wrong?

Thanks!

package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/kms"
	"github.com/aws/aws-sdk-go-v2/service/kms/types"
	"os"
	"strings"
	"time"

	"github.com/lestrrat-go/jwx/v2/jwa"
	"github.com/lestrrat-go/jwx/v2/jwt"
)

func main() {
	privateKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		panic(fmt.Errorf("failed to generate key pair: %w", err))
	}

	exp := time.Now().Add(time.Hour)
	nbf := time.Now()
	iat := time.Now()

	header := "{\"alg\":\"ES512\",\"typ\":\"JWT\"}"
	payload := fmt.Sprintf(
		"{\"aud\":[\"Appian operator\"],\"exp\":%d,\"hostname\":\"^licensing-ctrl.dev.appian-sites.net$\",\"iat\":%d,\"iss\":\"Appian Corporation\",\"jti\":\"JTI\",\"nbf\":%d,\"sub\":\"SUB\"}",
		exp.Unix(),
		nbf.Unix(),
		iat.Unix(),
	)

	msg := fmt.Sprintf("%s.%s", base64.RawURLEncoding.EncodeToString([]byte(header)), base64.RawURLEncoding.EncodeToString([]byte(payload)))
	hash := sha512.Sum512([]byte(msg))

	//
	// Created manually
	//

	fmt.Printf("Payload:\n%s\n", payload)

	sig, err := ecdsa.SignASN1(rand.Reader, privateKey, hash[:])
	if err != nil {
		panic(fmt.Errorf("failed to sign message hash: %w", err))
	}

	token := []byte(fmt.Sprintf("%s.%s", msg, base64.RawURLEncoding.EncodeToString(sig)))
	fmt.Printf("Token:\n%s\n", token)

	if ok := ecdsa.VerifyASN1(&privateKey.PublicKey, hash[:], sig); !ok {
		fmt.Printf("ERROR: failed to verify message hash\n")
	}

	if _, err := jwt.Parse(
		token,
		// Verify
		jwt.WithKey(jwa.ES512, &privateKey.PublicKey),
		// Validate
		jwt.WithIssuer("Appian Corporation"),
		jwt.WithAudience("Appian operator"),
	); err != nil {
		fmt.Printf("ERROR: failed to parse, verify, or validate token: %s\n", err.Error())
	}

	fmt.Printf("\n")

	//
	// Created using AWS KMS
	//

	publicKeyPem := `-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBudjjM3r8LhJPgUvZtb+mh1uzjQf/
nMILEvXg6L5ZjapxVLW/6HHFYI7HzSO9DBVgym4jbY2vmGoeL23WpVLHyQMByV5L
ENoZd3bZnvvccjI1fK+h8ta5GZBkkDTTR+vVqavkzVbMjlnlrg+hQkVvD5VfS6a9
PNrkUHAVV83DJcm3rEM=
-----END PUBLIC KEY-----`

	block, _ := pem.Decode([]byte(publicKeyPem))
	if block == nil || block.Type != "PUBLIC KEY" {
		panic("error decoding PEM public key")
	}

	_publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		panic(fmt.Errorf("error parsing ECDSA public key: %w", err))
	}

	publicKey := _publicKey.(*ecdsa.PublicKey)

	cfg, err := config.LoadDefaultConfig(context.TODO())
	if err != nil {
		panic(fmt.Errorf("failed to load AWS config: %w", err))
	}

	client := kms.NewFromConfig(cfg)

	fmt.Printf("Payload:\n%s\n", payload)

	signInput := kms.SignInput{
		KeyId:            aws.String("alias/prod"),
		Message:          []byte(msg),
		SigningAlgorithm: types.SigningAlgorithmSpecEcdsaSha512,
	}

	signOutput, err := client.Sign(context.TODO(), &signInput)
	if err != nil {
		panic(fmt.Errorf("failed to invoke KMS:Sign: %w", err))
	}

	token = []byte(fmt.Sprintf("%s.%s", msg, base64.RawURLEncoding.EncodeToString(signOutput.Signature)))
	fmt.Printf("Token:\n%s\n", token)

	if ok := ecdsa.VerifyASN1(publicKey, hash[:], signOutput.Signature); !ok {
		fmt.Printf("ERROR: failed to verify message hash\n")
	}

	if _, err := jwt.Parse(
		token,
		// Verify
		jwt.WithKey(jwa.ES512, publicKey),
		// Validate
		jwt.WithIssuer("Appian Corporation"),
		jwt.WithAudience("Appian operator"),
	); err != nil {
		fmt.Printf("ERROR: failed to parse, verify, or validate token: %s\n", err.Error())
	}

	fmt.Printf("\n")

	//
	// Created using github.com/lestrrat-go/jwx
	//

	t, err := jwt.NewBuilder().
		Audience([]string{"Appian operator"}).
		Expiration(exp).
		Claim("hostname", "^licensing-ctrl.dev.appian-sites.net$").
		IssuedAt(iat).
		Issuer("Appian Corporation").
		JwtID("JTI").
		NotBefore(nbf).
		Subject("SUB").
		Build()
	if err != nil {
		panic(fmt.Errorf("failed to build token: %w", err))
	}

	fmt.Printf("Payload:\n")
	if err := json.NewEncoder(os.Stdout).Encode(t); err != nil {
		panic(fmt.Errorf("failed to encode to JSON: %w", err))
	}

	token, err = jwt.Sign(t, jwt.WithKey(jwa.ES512, privateKey))
	if err != nil {
		panic(fmt.Errorf("failed to sign token: %w", err))
	}
	fmt.Printf("Token:\n%s\n", token)

	parts := strings.Split(string(token), ".")
	hash = sha512.Sum512([]byte(strings.Join(parts[0:2], ".")))
	sig, err = base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		panic(fmt.Errorf("ERROR: failed to decode signature: %w", err))
	}

	if ok := ecdsa.VerifyASN1(&privateKey.PublicKey, hash[:], sig); !ok {
		fmt.Printf("ERROR: failed to verify message hash\n")
	}

	if _, err := jwt.Parse(
		token,
		// Verify
		jwt.WithKey(jwa.ES512, &privateKey.PublicKey),
		// Validate
		jwt.WithIssuer("Appian Corporation"),
		jwt.WithAudience("Appian operator"),
	); err != nil {
		fmt.Printf("ERROR: failed to parse, verify, or validate token: %s\n", err.Error())
	}
}

$ go run main.go
Payload:
{"aud":["Appian operator"],"exp":1659028986,"hostname":"^licensing-ctrl.dev.appian-sites.net$","iat":1659025386,"iss":"Appian Corporation","jti":"JTI","nbf":1659025386,"sub":"SUB"}
Token:
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiQXBwaWFuIG9wZXJhdG9yIl0sImV4cCI6MTY1OTAyODk4NiwiaG9zdG5hbWUiOiJebGljZW5zaW5nLWN0cmwuZGV2LmFwcGlhbi1zaXRlcy5uZXQkIiwiaWF0IjoxNjU5MDI1Mzg2LCJpc3MiOiJBcHBpYW4gQ29ycG9yYXRpb24iLCJqdGkiOiJKVEkiLCJuYmYiOjE2NTkwMjUzODYsInN1YiI6IlNVQiJ9.MIGHAkFOoiEvEeW7MA3aUkMBSIkRIMNQOr-dsNyUV_0E8VmJSgxLyOFSy_8mQjrrLJT4DCsLhNlJTlGSi26qY_ssIvDAqwJCASUpmVYvwHbIgdhhy0xzlc_PNM57pQ4YXdVsxjfC-fPUCPN8S9D_jngk010qrS5lvH41sn0IWwPv82LN7wpLV1if
ERROR: failed to parse, verify, or validate token: could not verify message using any of the signatures or keys

Payload:
{"aud":["Appian operator"],"exp":1659028986,"hostname":"^licensing-ctrl.dev.appian-sites.net$","iat":1659025386,"iss":"Appian Corporation","jti":"JTI","nbf":1659025386,"sub":"SUB"}
Token:
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiQXBwaWFuIG9wZXJhdG9yIl0sImV4cCI6MTY1OTAyODk4NiwiaG9zdG5hbWUiOiJebGljZW5zaW5nLWN0cmwuZGV2LmFwcGlhbi1zaXRlcy5uZXQkIiwiaWF0IjoxNjU5MDI1Mzg2LCJpc3MiOiJBcHBpYW4gQ29ycG9yYXRpb24iLCJqdGkiOiJKVEkiLCJuYmYiOjE2NTkwMjUzODYsInN1YiI6IlNVQiJ9.MIGIAkIB8VD_EIkmARaC7OnX_YraH_UCyTLylBYLhSLxqxFqu3OzM6_EJQ1fl6XeDWUSPktb9Jabnw6k8R2h88Q1J9KE95wCQgE4fo7QcoZgIqn-w_xvgyY8dLYNtHtF64xkGL-BPxL6ZwoIFTBhPmhIOPqKKYvrU_XAujax08hO0gsNtWPQILVKYQ
ERROR: failed to parse, verify, or validate token: could not verify message using any of the signatures or keys

Payload:
{"aud":["Appian operator"],"exp":1659028986,"hostname":"^licensing-ctrl.dev.appian-sites.net$","iat":1659025386,"iss":"Appian Corporation","jti":"JTI","nbf":1659025386,"sub":"SUB"}
Token:
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiQXBwaWFuIG9wZXJhdG9yIl0sImV4cCI6MTY1OTAyODk4NiwiaG9zdG5hbWUiOiJebGljZW5zaW5nLWN0cmwuZGV2LmFwcGlhbi1zaXRlcy5uZXQkIiwiaWF0IjoxNjU5MDI1Mzg2LCJpc3MiOiJBcHBpYW4gQ29ycG9yYXRpb24iLCJqdGkiOiJKVEkiLCJuYmYiOjE2NTkwMjUzODYsInN1YiI6IlNVQiJ9.AS5dM8PPOcPZQXqhuekDoAM6Mat_OhSvTuT1aE4cekMc2ahyrLuA_CseXGgeldnxhcZtmZKSk9QJ8TMe_Tq_BWGpATGlon1AdKznFHQWWgEhmk-fpfBb48G9YfLDh47tCzjbEMGVqr50BlvNZfhUfg1ycHyvOJCcQflvR3zX7pSI_Fk7
ERROR: failed to verify message hash
2022/07/28 12:23:07 now = 2022-07-28 16:23:07 +0000 UTC, ttv = 2022-07-28 16:23:06 +0000 UTC, skew = 0s, trunc = 1s

[lestrrat]

The ASN1 bit seems unnecessary. You only need to deal with ASN.1 when you are dealing with something in ASN.1 format, and JWTs are never ASN.1 encoded as far as I know.

What coulud be ASN.1 encoded are the keys themselves. For example, your key in the code publicKeyPem is probably ASN.1 encoded and then base64 encoded. Again, tokens are not ASN.1 encoded, so including the result of sig, err := ecdsa.SignASN1(rand.Reader, privateKey, hash[:]) is clearly not the way to go.

I wasn't quite sure what the intention of that ASN.1 deal was (sorry, didn't look through the AWS document in its entirety), but just for comparison, this works without any problems:

package jwx_test

import (
  "crypto/ecdsa"
  "crypto/elliptic"
  "crypto/rand"
  "encoding/json"
  "fmt"
  "log"
  "testing"
  "time"

  "github.com/lestrrat-go/jwx/v2/jwa"
  "github.com/lestrrat-go/jwx/v2/jwt"
)

func TestGH785(t *testing.T) {
  privateKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
  if err != nil {
    panic(fmt.Errorf("failed to generate key pair: %w", err))
  }

  exp := time.Now().Add(time.Hour)
  nbf := time.Now()
  iat := time.Now()

  tok, err := jwt.NewBuilder().
    Expiration(exp).
    NotBefore(nbf).
    IssuedAt(iat).
    JwtID(`JTI`).
    Subject(`SUB`).
    Issuer(`Appian Corporation`).
    Claim(`hostname`, `^licensing-ctrl.dev.appial-sites.net$`).
    Build()
  if err != nil {
    panic(fmt.Errorf(`failed to create token: %w`, err))
  }

  signed, err := jwt.Sign(tok, jwt.WithKey(jwa.ES512, privateKey))
  if err != nil {
    panic(fmt.Errorf(`failed to sign token:%w`, err))
  }

  log.Printf("%s", signed)

  parsed, err := jwt.Parse(signed, jwt.WithKey(jwa.ES512, &privateKey.PublicKey))
  if err != nil {
    panic(fmt.Errorf(`failed to parse token:%w`, err))
  }

  // going to serialize it for ease-of-view
  buf, _ := json.MarshalIndent(parsed, "", "  ")
  log.Printf("parsed: %s", buf)
}

[robbie-demuth]

I think something's up w/ the r and s calculations - definitely on the verification side, but maybe on the signing side too. When I use ecdsa.VerifyASN1(...), the r and s values it calculates and passes to ecdsa.Verify(...) are different than those that

jwx/jws/ecdsa.go

Lines 153 to 193 in 21f2928

	func (v *ecdsaVerifier) Verify(payload []byte, signature []byte, key interface{}) error {
	if key == nil {
	return fmt.Errorf(`missing public key while verifying payload`)
	}
	var pubkey ecdsa.PublicKey
	if cs, ok := key.(crypto.Signer); ok {
	cpub := cs.Public()
	switch cpub := cpub.(type) {
	case ecdsa.PublicKey:
	pubkey = cpub
	case *ecdsa.PublicKey:
	pubkey = *cpub
	default:
	return fmt.Errorf(`failed to retrieve ecdsa.PublicKey out of crypto.Signer %T`, key)
	}
	} else {
	if err := keyconv.ECDSAPublicKey(&pubkey, key); err != nil {
	return fmt.Errorf(`failed to retrieve ecdsa.PublicKey out of %T: %w`, key, err)
	}
	}
	r := pool.GetBigInt()
	s := pool.GetBigInt()
	defer pool.ReleaseBigInt(r)
	defer pool.ReleaseBigInt(s)
	n := len(signature) / 2
	r.SetBytes(signature[:n])
	s.SetBytes(signature[n:])
	h := v.hash.New()
	if _, err := h.Write(payload); err != nil {
	return fmt.Errorf(`failed to write payload using ecdsa: %w`, err)
	}
	if !ecdsa.Verify(&pubkey, h.Sum(nil), r, s) {
	return fmt.Errorf(`failed to verify signature using ecdsa`)
	}
	return nil
	}

does

[lestrrat]

tl;dr:

• AWS KMS does its own thing with encoding using DER ASN.1
• JWS does not expect DER ASN.1
• Use AWS KMS to sign/verify via a crypto.Signer wrapper like github.com/jwx-go/crypto-signer/tree/main/aws

---

Of course they will be different. github.com/lestrrat-go/jwx does NOT do any DER ASN.1 encoding/decoding on the signature, because it's not part of the spec. Read the spec yourself if you don't trust me: https://datatracker.ietf.org/doc/html/rfc7515 (hint: there's only one mention of ASN.1, and that's not in the signature)

On the other hand, when I googled for JWTs with DER ASN.1 encoded signatures, it seems to me that the AWS KMS creates these non-standard signatures that are DER ASN.1 encoded. For example: https://stackoverflow.com/questions/69619620/convert-aws-kms-ecdsa-sha-256-signature-from-der-encoded-ans-1-format-to-jwt-bas.

This seems to indicate to me that when you use AWS KMS to sign your payload, you will need to use AWS KMS to verify your payload -- i.e., by using an object that wraps AWS KMS to act like a crypto.Signer object. You're in luck because I had written something like that ages ago here: https://github.com/jwx-go/crypto-signer/tree/main/aws

The original code was written for jwx v1, but it works just as expected for v2. The only change I made to verify that it works with v2 is by applying the following changes to the tests:

diff --git a/aws/aws_test.go b/aws/aws_test.go
index 1200670..444561c 100644
--- a/aws/aws_test.go
+++ b/aws/aws_test.go
@@ -11,8 +11,8 @@ import (
        "github.com/aws/aws-sdk-go-v2/service/kms"
        "github.com/aws/aws-sdk-go-v2/service/kms/types"
        awssigner "github.com/jwx-go/crypto-signer/aws"
-       "github.com/lestrrat-go/jwx/jwa"
-       "github.com/lestrrat-go/jwx/jws"
+       "github.com/lestrrat-go/jwx/v2/jwa"
+       "github.com/lestrrat-go/jwx/v2/jws"
 )

 var _ crypto.Signer = &awssigner.RSA{}
@@ -40,12 +40,12 @@ func ExampleRSA() {
                WithAlgorithm(types.SigningAlgorithmSpecRsassaPkcs1V15Sha256).
                WithKeyID(kid)

-       signed, err := jws.Sign(payload, jwa.RS256, sv.WithContext(ctx))
+       signed, err := jws.Sign(payload, jws.WithKey(jwa.RS256, sv.WithContext(ctx)))
        if err != nil {
                panic(err.Error())
        }

-       verified, err := jws.Verify(signed, jwa.RS256, sv.WithContext(ctx))
+       verified, err := jws.Verify(signed, jws.WithKey(jwa.RS256, sv.WithContext(ctx)))
        if err != nil {
                panic(err.Error())
        }
diff --git a/aws/go.mod b/aws/go.mod
index 9f82762..354d328 100644
--- a/aws/go.mod
+++ b/aws/go.mod
@@ -6,7 +6,7 @@ require (
        github.com/aws/aws-sdk-go-v2 v1.13.0
        github.com/aws/aws-sdk-go-v2/config v1.13.0
        github.com/aws/aws-sdk-go-v2/service/kms v1.14.0
-       github.com/lestrrat-go/jwx v1.2.18-0.20220122010323-69118573cc7c
+       github.com/lestrrat-go/jwx/v2 v2.0.4
 )

 require (

[robbie-demuth]

Use AWS KMS to sign/verify via a crypto.Signer wrapper like github.com/jwx-go/crypto-signer/tree/main/aws

I'm hoping to use this library just for verification / validation. The signing application that uses AWS KMS is entirely separate and will not use this library. How do I go about using this library to verify signatures that are DER ASN.1 encoded? Can I follow https://github.com/lestrrat-go/jwx/blob/develop/v2/docs/02-jws.md#using-a-custom-signingverification-algorithm? Thanks!

[lestrrat]

I see. In that case, yes, "overwriting" the algorithm used via Register(Signer|Verifier) seems like the way to go.

[robbie-demuth]

That worked! Thanks for all your help on this!